Author Topic: I have problem with win32:malware-gen  (Read 57678 times)


jeffce

  • Guest
Re: I have problem with win32:malware-gen
« Reply #15 on: March 07, 2012, 12:18:56 AM »
Hi,

This is how to attach a log to your post

Quote
To attach :
Press Reply
Attachments and other options
Attach:
Choose File
Locate the OTL log
Select the OTL log
« Last Edit: March 07, 2012, 12:28:09 AM by jeffce »

QNtas

  • Guest
Re: I have problem with win32:malware-gen
« Reply #16 on: March 07, 2012, 10:55:23 AM »
Here it is

jeffce

  • Guest
Re: I have problem with win32:malware-gen
« Reply #17 on: March 07, 2012, 01:42:15 PM »
Hi QNtas,

Please download and run ERUNT (Emergency Recovery Utility NT).  This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.  **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.
----------

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code: [Select]
:Services

:OTL
PRC - C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe (SweetIM Technologies Ltd.)
IE:[b]64bit:[/b] - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
IE - HKLM\..\SearchScopes,DefaultScope = {EEE6C360-6118-11DC-9C72-001320C79847}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = http://search.sweetim.com/search.asp?src=6&st=1&q={searchTerms}&barid={1AC2C624-E9E9-11E0-80EA-CCAF785422B8}
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
IE - HKCU\..\URLSearchHook: {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgHelper.dll (SweetIM Technologies Ltd.)
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = http://search.sweetim.com/search.asp?src=6&st=1&q={searchTerms}&barid={1AC2C624-E9E9-11E0-80EA-CCAF785422B8}
FF:[b]64bit:[/b] - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
O2 - BHO: (SweetIM Toolbar Helper) - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
O3 - HKLM\..\Toolbar: (SweetIM Toolbar for Internet Explorer) - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (SweetIM Toolbar for Internet Explorer) - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
O4 - HKLM..\Run: [SweetIM] C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe (SweetIM Technologies Ltd.)
O4 - HKCU..\Run: [TorrentRatioKeeper] "D:\Ratio\Torrent Ratio Keeper\TorrentRatioKeeper.exe" /s File not found
O8:[b]64bit:[/b] - Extra context menu item: Search the Web - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\resources\MenuExt.html ()
O8 - Extra context menu item: Search the Web - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\resources\MenuExt.html ()
O33 - MountPoints2\{f31eef06-223f-11e1-81b5-ccaf785422b8}\Shell - "" = AutoRun
O33 - MountPoints2\{f31eef06-223f-11e1-81b5-ccaf785422b8}\Shell\AutoRun\command - "" = J:\AutoRun.exe
O33 - MountPoints2\{f31eef13-223f-11e1-81b5-ccaf785422b8}\Shell - "" = AutoRun
O33 - MountPoints2\{f31eef13-223f-11e1-81b5-ccaf785422b8}\Shell\AutoRun\command - "" = J:\AutoRun.exe
O33 - MountPoints2\{f6ebead5-1390-11e1-8277-ccaf785422b8}\Shell - "" = AutoRun
O33 - MountPoints2\{f6ebead5-1390-11e1-8277-ccaf785422b8}\Shell\AutoRun\command - "" = G:\INSTALL.EXE
[65442 C:\Users\Public\Documents\*.tmp files -> C:\Users\Public\Documents\*.tmp -> ]

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[createrestorepoint]
[start explorer]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then run a new scan and post a new OTL log (don't check the boxes beside LOP Check or Purity this time)
-------------------

In your next reply please post both of the logs that will be created by OTL when you are finished.  :)
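
Added example (not part of this thread, and not OTL's or ERUNT's code): a read-only PowerShell check that walks the same persistence points the fix above targets (Run keys, IE toolbars and Browser Helper Objects, SearchScopes / URLSearchHooks / Start Page, the MountPoints2 AutoRun commands, and the hosts file) so the result can be confirmed after the reboot instead of being taken on trust from the fix log. It assumes PowerShell 3.0 or later and an elevated prompt; the indicator strings, the two helper function names and the report layout are this example's own and are drawn from the entries listed in the fix, not from any OTL output.

```powershell
# Added example, not from this thread and not OTL/ERUNT code. Read-only check of the
# persistence points the OTL fix above removes, to confirm they are gone after reboot.
# Assumes PowerShell 3.0+ and an elevated prompt. The indicator strings are an assumption
# drawn from the fix lines (SweetIM, Pando, TorrentRatioKeeper, removable-media AutoRun).
$Indicators = @('sweetim', 'pando', 'torrentratiokeeper', 'autorun.exe', 'install.exe')

function Get-RegValuesSafe {
    # Every value under one key as Path/Name/Value objects; missing keys are skipped silently.
    param([string]$Path)
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $key) { return }
    foreach ($name in $key.GetValueNames()) {
        $display = if ($name -eq '') { '(Default)' } else { $name }
        [pscustomobject]@{ Path = $Path; Name = $display; Value = [string]$key.GetValue($name) }
    }
}

function Get-DefaultValue {
    # The unnamed (default) value of a key, or $null when the key does not exist.
    param([string]$Path)
    (Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue).'(default)'
}

# 1. Run keys in both hives, including the 32-bit view on x64 (where SweetIM.exe was registered)
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = foreach ($k in $runKeys) { Get-RegValuesSafe $k }

# 2. IE toolbars (value name = CLSID) in both views, plus the per-user WebBrowser toolbar list
$toolbarKeys = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar',
               'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser'
$toolbar = foreach ($k in $toolbarKeys) { Get-RegValuesSafe $k }

# 3. Browser Helper Objects: each CLSID subkey resolved to its DLL through InProcServer32
$bhoRoots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$bho = foreach ($root in $bhoRoots) {
    Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        $dll = @('HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID') |
            ForEach-Object { Get-DefaultValue "$_\$clsid\InProcServer32" } | Where-Object { $_ }
        [pscustomobject]@{ Path = $root; Name = $clsid; Value = ($dll -join '; ') }
    }
}

# 4. IE search and start-page hijack points in both hives
$ie = foreach ($hive in 'HKLM', 'HKCU') {
    $scopes = "${hive}:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes"
    Get-RegValuesSafe $scopes | Where-Object { $_.Name -eq 'DefaultScope' }
    Get-ChildItem -LiteralPath $scopes -ErrorAction SilentlyContinue | ForEach-Object {
        $url = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).URL
        [pscustomobject]@{ Path = $scopes; Name = $_.PSChildName; Value = [string]$url }
    }
    Get-RegValuesSafe "${hive}:\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks"
    Get-RegValuesSafe "${hive}:\SOFTWARE\Microsoft\Internet Explorer\Main" | Where-Object { $_.Name -eq 'Start Page' }
}

# 5. MountPoints2: AutoRun commands Explorer cached from removable volumes (the J:\AutoRun.exe / G:\INSTALL.EXE lines)
$mp2 = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
$autorun = Get-ChildItem -LiteralPath $mp2 -ErrorAction SilentlyContinue | ForEach-Object {
    $cmd = Get-DefaultValue "$($_.PSPath)\Shell\AutoRun\command"
    if ($cmd) { [pscustomobject]@{ Path = $mp2; Name = $_.PSChildName; Value = [string]$cmd } }
}

# 6. hosts file: [resethosts] rewrites it, so any mapping beyond the localhost lines deserves a look
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$hostsExtra = Get-Content -LiteralPath $hostsPath -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' } |
    ForEach-Object { [pscustomobject]@{ Path = $hostsPath; Name = 'hosts'; Value = $_ } }

# 7. Report: entries that still match an indicator first, then everything for manual review
$all = @($run) + @($toolbar) + @($bho) + @($ie) + @($autorun) + @($hostsExtra)
$flagged = $all | Where-Object {
    $text = ($_.Name + ' ' + $_.Value).ToLower()
    @($Indicators | Where-Object { $text.Contains($_) }).Count -gt 0
}
if ($flagged) {
    Write-Warning 'Entries still matching indicators from the fix:'
    $flagged | Format-Table Path, Name, Value -AutoSize -Wrap
} else {
    Write-Host 'No indicator matches. Remaining entries for manual review:'
}
$all | Sort-Object Path, Name | Format-Table Path, Name, Value -AutoSize -Wrap
```

The script changes nothing; it only reads. A clean result is an empty "still matching" list, after which the remaining Run, BHO, toolbar and SearchScopes entries should all resolve to software the user recognises. A MountPoints2 entry that still carries an AutoRun command will reappear whenever that same removable volume is plugged in again, so the volume itself (not just the registry cache) needs to be checked.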

ClassyJakey

  • Guest
Re: I have problem with win32:malware-gen
« Reply #18 on: March 07, 2012, 04:43:37 PM »
Quote
(jeffce's Reply #17 above, quoted in full)
Is it also for Windows 7? And 8? Just in case he has one of those.

QNtas

  • Guest
Re: I have problem with win32:malware-gen
« Reply #19 on: March 07, 2012, 06:05:58 PM »
I have Windows 7.

jeffce

  • Guest
Re: I have problem with win32:malware-gen
« Reply #20 on: March 07, 2012, 06:11:28 PM »
Hi QNtas,

Go ahead and use the fix I provided. 

QNtas

  • Guest
Re: I have problem with win32:malware-gen
« Reply #21 on: March 07, 2012, 06:26:36 PM »
I run it, but do I need to run a new scan same as before (just not checking LOP Check and Purity Check), yes?

jeffce

  • Guest
Re: I have problem with win32:malware-gen
« Reply #22 on: March 07, 2012, 06:31:15 PM »
Yes...once done with running the fix, please run a new scan same as before but not with LOP or Purity checked.  :)  There will be a log showing what was removed after the fix, and then the log with the new information created by the new run.

QNtas

  • Guest
Re: I have problem with win32:malware-gen
« Reply #23 on: March 07, 2012, 08:33:32 PM »
Here it is

jeffce

  • Guest
Re: I have problem with win32:malware-gen
« Reply #24 on: March 07, 2012, 08:47:47 PM »
Hi,

Did you follow the instructions I provided in post 17?  If you are having any problems running anything let me know.  :)

QNtas

  • Guest
Re: I have problem with win32:malware-gen
« Reply #25 on: March 07, 2012, 08:55:03 PM »
Yes I do, and I downloaded that ERUNT, but I don't know whether I need to check Minimal Output when I run the fix. And what do I need to write in "Custom Scans/Fixes" when I run the scan?

jeffce

  • Guest
Re: I have problem with win32:malware-gen
« Reply #26 on: March 07, 2012, 09:04:35 PM »
Ok....in post 17 there is a code box with the information I provided.  It starts with the quote below...but be sure to copy everything in the code box.

Quote
Code: [Select]
:Services

:OTL
PRC - C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe (SweetIM Technologies Ltd.)
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}...

Now follow the instructions with the picture below. 

When that scan is complete there will be a log made automatically.  Save that for your next reply.

Run a new scan with OTL being sure that minimal is selected and that LOP and Purity are not selected this time.  When that is finished there will be another log created.  Save that as well for your next reply.

Please post, once done, both of the logs made by OTL.


QNtas

  • Guest
Re: I have problem with win32:malware-gen
« Reply #27 on: March 08, 2012, 09:33:09 AM »
Hi, I have problems with the scan fix. When it completed, the program asked me to reboot the system and did not open any log for me.

jeffce

  • Guest
Re: I have problem with win32:malware-gen
« Reply #28 on: March 08, 2012, 01:51:22 PM »
Hi QNtas,

I apologize if my instructions have not been clear enough.  :(  Let's do this one step at a time.

In the picture I provided above, you can see the section labeled Custom Scans/Fixes? 
I want you to copy/paste the information I provide below inside of the Code Box into the Custom Scans/Fixes box in OTL.

Code: [Select]
:Services

:OTL
PRC - C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe (SweetIM Technologies Ltd.)
IE:[b]64bit:[/b] - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
IE - HKLM\..\SearchScopes,DefaultScope = {EEE6C360-6118-11DC-9C72-001320C79847}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = http://search.sweetim.com/search.asp?src=6&st=1&q={searchTerms}&barid={1AC2C624-E9E9-11E0-80EA-CCAF785422B8}
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
IE - HKCU\..\URLSearchHook: {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgHelper.dll (SweetIM Technologies Ltd.)
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = http://search.sweetim.com/search.asp?src=6&st=1&q={searchTerms}&barid={1AC2C624-E9E9-11E0-80EA-CCAF785422B8}
FF:[b]64bit:[/b] - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
O2 - BHO: (SweetIM Toolbar Helper) - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
O3 - HKLM\..\Toolbar: (SweetIM Toolbar for Internet Explorer) - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (SweetIM Toolbar for Internet Explorer) - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
O4 - HKLM..\Run: [SweetIM] C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe (SweetIM Technologies Ltd.)
O4 - HKCU..\Run: [TorrentRatioKeeper] "D:\Ratio\Torrent Ratio Keeper\TorrentRatioKeeper.exe" /s File not found
O8:[b]64bit:[/b] - Extra context menu item: Search the Web - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\resources\MenuExt.html ()
O8 - Extra context menu item: Search the Web - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\resources\MenuExt.html ()
O33 - MountPoints2\{f31eef06-223f-11e1-81b5-ccaf785422b8}\Shell - "" = AutoRun
O33 - MountPoints2\{f31eef06-223f-11e1-81b5-ccaf785422b8}\Shell\AutoRun\command - "" = J:\AutoRun.exe
O33 - MountPoints2\{f31eef13-223f-11e1-81b5-ccaf785422b8}\Shell - "" = AutoRun
O33 - MountPoints2\{f31eef13-223f-11e1-81b5-ccaf785422b8}\Shell\AutoRun\command - "" = J:\AutoRun.exe
O33 - MountPoints2\{f6ebead5-1390-11e1-8277-ccaf785422b8}\Shell - "" = AutoRun
O33 - MountPoints2\{f6ebead5-1390-11e1-8277-ccaf785422b8}\Shell\AutoRun\command - "" = G:\INSTALL.EXE
[65442 C:\Users\Public\Documents\*.tmp files -> C:\Users\Public\Documents\*.tmp -> ]

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[createrestorepoint]
[start explorer]
[Reboot]

Now, once the text is placed into the Custom Scans/Fixes box in OTL, I want you to press the Run Fix button. 
OTL will start running automatically and I want you to let it run through to the end. 
After OTL has been run, there will be a log that opens automatically either before or after the system reboots. 
Please save that log and post it into your next reply.

Don't worry about running OTL again yet...we will come back to that.  :)

QNtas

  • Guest
Re: I have problem with win32:malware-gen
« Reply #29 on: March 08, 2012, 06:59:43 PM »
I did that but nothing. It just wrote "fix complete" and showed a table to reboot the system. It did not open the log file.